Crazy future client WEP attack idea

I make a tutorial, you guys complain, I try to input my ideas to the BackTrack community, you complain some more.
You can delete my account, I'm done here.
And even though you might think you're 'the man' in here, in real life you're nothing but a bunch of nerds with no life.
I've got a house, some money saved up, and a steady girlfriend, so you can shove your BackTrack where the sun doesn't shine.

Re: Crazy future client WEP attack idea

Everyone who uses WEP would be vulnerable to this ultimate attack.

EVERYONE that uses WEP is already vulnerable, regardless of your plan. What I don't really understand in your plan is why the rush? If you're conducting a true penetration test, then it shouldn't really matter if it takes 25 seconds to crack WEP or if it takes the normal 60 seconds or so.

A third party security audit is the IT equivalent of a colonoscopy. It's long, intrusive, very uncomfortable, and when it's done, you'll have seen things you really didn't want to see, and you'll never forget that you've had one.

Re: Crazy future client WEP attack idea

You don't get it. I don't want to offend you, but I suggest you read through it again. The thing that's new is that you would be able to attack any WEP client (that uses Windows, or Macintosh too I think) with MITM tools, or Metasploit and such. It isn't about the WEP key; we just need to crack it as fast as possible, so the Windows auto-reconnect function doesn't stop and the client doesn't know what's happening. And while we would crack the client's WEP key, the one he configured to encrypt his packets between him and his real AP, I suggested some packet injection with the PRGA to keep the client busy. It's not the easiest thing to explain.

Re: Crazy future client WEP attack idea

I don't want to discourage you and your ideas either. But WEP is dead. You can crack it, as Streaker69 mentioned, in a matter of seconds. So it doesn't matter what the computer that is using WEP is doing.
Anyone that is using WEP is probably not going to know that there is something "bad" taking place anyway. Once you are on the network it is only a matter of time until you can compromise it.
I think you are trying to re-invent the wheel here. But like I said, don't be discouraged, just maybe find a better use of your time and energy.

Re: Crazy future client WEP attack idea

Originally Posted by Lucifer

You don't get it. I don't want to offend you, but I suggest you read through it again. The thing that's new is that you would be able to attack any WEP client (that uses Windows, or Macintosh too I think) with MITM tools, or Metasploit and such. It isn't about the WEP key; we just need to crack it as fast as possible, so the Windows auto-reconnect function doesn't stop and the client doesn't know what's happening. And while we would crack the client's WEP key, the one he configured to encrypt his packets between him and his real AP, I suggested some packet injection with the PRGA to keep the client busy. It's not the easiest thing to explain.

.L

I fully understood what you're saying, but I think you missed my point. WEP is broken, it's been well known to have been broken for at least 9 years now. I believe that it can be cracked in around 60 seconds as it stands, so why the rush? Do you really think that anyone that's still using WEP is savvy enough to even suspect there's something else going on if they can't reconnect in less than 60 seconds? Just because it takes you a long time to crack WEP doesn't mean that it takes long across the board. It sounds as though the length of time to crack is more or less your problem. But hey, go ahead and do whatever you're going to do. But to me it sounds rather pointless.

Re: Crazy future client WEP attack idea

I don't think the OP's point is to crack WEP faster, his point is that he wants the victim to attach to his fake AP.

"When we use airbase-ng -P -C 30 mon0 and use airdrop to break a connection between a victim and his real AP, the client will not auto-connect to our fake AP. airbase will only have faked the ESSID (due to -P -C), but we didn't supply the WEP key the client is using, and we cannot force the client to use an unencrypted connection, so the client will not auto-reconnect to our fake AP."

I suppose the idea is that you crack the WEP fast, then set up your fake AP with the WEP key you cracked, then he connects to your AP.

This idea came from my first one; the difference is that this one is actually possible with the current tools/techniques.
airbase would need quite a bit of coding, but it's possible.
It would work for WPA(2) clients as well.
This would definitely work for Windows victims, and maybe Mac victims.
I'm not sure how a Linux client would respond to this.
I'm thinking big, some might think it's stupid, but I'm just sharing what I think would be great future updates.
You'll have to use your imagination, and follow me on my path of thoughts.

What does this technique solve? Making it possible to force any WEP/WPA(2) victim to join our fake AP instead of the victim's real AP, in such a way that it cannot fail, and in auto-mode, so we wouldn't have to sit and wait at the computer all the time. (Any WEP/WPA(2) client of which we know the encryption key the victim uses on his real AP can be forced to auto-connect to our softAP.)
If it were coded the way I'll explain, then it would run in auto-mode: we turn on our fake AP, set up the internet connection for victims, and start our MITM tools.
airbase would take care of the rest; just let your fake AP run, and the dream comes true.

Imagine you had a big house, with 3 APs and 4 brothers; everyone has his own AP, with WEP security enabled.
AP 'AA' with brother 'A1' and brother 'A2'
AP 'BB' with brother 'B1'
AP 'CC' with brother 'C1'
You've told your brothers what you're planning to do, and they agree, except brother 'C1', who told you not to crack his WEP key. Always make sure you're doing nothing illegal.
For this to work, you would need to crack every WEP AP in your range, and supply all the WEP keys in an airbase-ng.conf file.
Imagine this:
airbase-ng -P -C 30 -W 1 mon0, all your MITM tools up and running, and an internet connection to our fake AP configured.
airbase responding to any client's probes, with the WEP flag set.
Like I said in my previous topic about my idea, Windows clients (and possibly Mac/Linux users also, I'm not sure) only care about 2 things in order to auto-reconnect to a known network: the ESSID and the encryption.
airbase is up and running, and suddenly your brother A1 comes online. airbase notifies us with a gentle beep, so when we're not at our PC we'll know a WEP client is in our range, and it is a client that we can force to authenticate to our fake AP, since we know this client's WEP key from his real AP.
So airbase picks up his probes, and knows this is a client who connects to AP 'AA'. airbase auto-configures airdrop-ng to start disabling the connection between your brother 'A1' and his AP 'AA', and also sets the WEP key we specified in the airbase-ng.conf for AP 'AA'.
Brother 'A1' gets kicked due to airdrop, our fake AP's ESSID is set due to -P -C, and airbase has configured the WEP key specified in the airbase-ng.conf, so your brother A1's Windows machine will auto-connect to your fake AP (his real AP is unavailable due to airdrop running), so there's no escape possible.
We start our MITM attacks, or whatever we want to do.
But suddenly, your brother 'A2' also comes online.
Again, a gentle beep from airbase to let us know there's a new WEP client whose real AP's WEP key we know, and airbase does the same with him: starts airdrop and kicks him until he connects to our fake AP. The ESSID is already set since your brother 'A1' is on our fake AP, and the WEP key remains the same, as 'A1' and 'A2' connect to the same AP 'AA'. Both are online and surfing the web through your fake AP, while we are sniffing their data.

But then your brother 'B1' turns on his Windows computer, and connects to his AP 'BB'. We have also cracked his WEP key before, and added it to airbase-ng.conf.
airbase picks up his probes, another beep to let us know there's another WEP client whose WEP key we know, but since airbase would have to change the WEP key to AP 'BB's WEP key, it prompts us to make a decision: let brothers 'A1' and 'A2' continue on our fake AP, or force the new client, brother 'B1', to associate. (If we chose the new client 'B1', then again the ESSID would be set by -P -C, and the WEP key auto-set to the one AP 'BB' uses, the one which we supplied in the airbase-ng.conf.)
Of course there would be another function in airbase which can auto-decide what to do, change client(s) or not. We could, for instance, configure this in the airbase-ng.conf file, for example: at least 10 Mb/minute should pass through our at0 interface (which would mean the client(s) are actively surfing the net, which is what we want, so we can capture as much data as possible), and if the minimum Mb/minute or MB/hour isn't reached, then airbase will auto-switch when there's a new known client available, a client like your brother 'B1' whose WEP key we know. Such a function would be easy, because we want active clients, not clients who just sit there and do nothing. An attacker who just wants to exploit a client would not care about how much the client(s) surf the net, so this function could be disabled as well. And when disabled, airbase would always beep and prompt us to make a decision: switch client(s) or not.
So brothers 'A1' and 'A2' are no longer connected, as they didn't reach the minimum traffic I configured, 10 Mb/minute, and brother 'B1' was available, so airbase auto-switched, using the proper ESSID and WEP key for this new client.
All this time, my MITM tools have been running and capturing what I want; 'A1', 'A2' and the current client 'B1' have all visited hotmail.com, and I've captured their usernames and passwords.
Lastly, our brother 'C1' is online and connected to his AP 'CC'. airbase hears his probes, but this time airbase makes a different beeping sound. Why? To let us know there's a WEP client in our fake AP's range, but it's one whose WEP key for his AP 'CC' we don't know, as we didn't have our brother C1's permission to crack his AP, so we didn't specify his WEP key in the airbase-ng.conf.
So the different beep would be handy to let us know about this client being in our range, but we cannot force it to connect to our AP yet; he would be a future victim (at least if we get permission from 'C1').
airbase would also prompt 'client C1:C1:C1:C1:C1:C1 ignored'.

And airbase would need quite some recoding, maybe including the ability to set WPA(2) encryption as well, so we could do the same with clients who connect to WPA(2) APs.

Note that this has nothing to do with the actual WPA cracking itself; WPA cracking will still be hard, but if you could crack WPA APs in your range, then you could add these to the airbase-ng.conf, and any client from that WPA AP can be kicked and FORCED to connect to our fake AP if these functions I explained were added.
I'd do it myself, but I've got no coding skills, too bad.
I REALLY wouldn't want anything more than to code this myself, as I'm 100% sure this technique would work, and it would make life a whole lot easier.
No more 'hunting' for victims, no more waiting at the PC; whenever a known client, of which we have the WEP/WPA(2) key, shows up, he will be auto-forced to join our softAP, using the same ESSID and encryption key he uses on his real AP.

So you'd be pre-cracking all the WEP/WPA(2) APs in your range, setting those keys in the airbase-ng.conf, and thus you'd be able to force every WEP/WPA(2) client in your range to associate to our fake AP, because the correct ESSID and encryption would be set. A Windows machine would auto-connect since we break their connection with their real AP using airdrop; there's no doubt about it, a 99% success rate.

In a nutshell, this would be the ultimate EVIL AUTOMATIC-AP.

I hope you guys understand what I mean with these new functions, 'cause it's not easy to explain this idea of mine. There's no need to be offensive if you don't like it, or if it sounds stupid; it's just what I think would be a neat add-on.

Please, do share your opinion about this.

Excuse my weak English, I'm Dutch.

Thanks,

.L

Yet I still don't believe you get what I am trying to explain. It doesn't matter that it's WEP! It comes down to this: with what I tried to explain, you would have a 100% success rate of forcing a WEP client to authenticate to your fake AP. I know WEP is dead, and it can be cracked in about 60 seconds; I just wanted a fast method, because it's all about WINDOWS AUTO-RECONNECT TO KNOWN NETWORKS. Anyway, I posted a second idea of mine, based on this one, and the great thing about it is that it could work for WPA/WPA2 clients as well. airbase would need quite some recoding, and allow setting WPA encryption, but I believe it's possible. Please read through it carefully, and share your thoughts about it! Thank you.

Re: Crazy future client WEP attack idea

What sort of input are you looking for exactly? Are you trying to determine whether this is possible? If so, why don't you just try it? If you're successful you can explain how you did it and the benefits of it to us...

I do have to say that neither this or your other post is particularly easy to read. Proper capitalisation, sentence structure, paragraphing, formatting, providing an introduction or a summary etc all go a long way when you're expecting someone to read something that long.

Last edited by lupin; 03-04-2010 at 10:02 AM.

Capitalisation is important. It's the difference between "Helping your brother Jack off a horse" and "Helping your brother jack off a horse".

Re: Crazy future client WEP attack idea

The thing that's new is that you would be able to attack any WEP client (that uses Windows, or Macintosh too I think) with MITM tools, or Metasploit and such.

Well, if you crack the WEP (or WPA) key you can perform these attacks on the victim's network. There is no point in redirecting to your evil AP. And if the victim has countermeasures installed, it's unlikely he's using WEP or WPA with a weak password that you could break altogether (in a short amount of time). And if he was, I would suspect he's running a honeypot.

I do have to say that neither this or your other post is particularly easy to read. Proper capitalisation, sentence structure, paragraphing, formatting, providing an introduction or a summary etc all go a long way when you're expecting someone to read something that long.

Re: Crazy future client WEP attack idea

Well, I would code it myself, but I haven't got the skills to do so. I would code my second WEP/WPA client attack idea IN A SECOND, 'cause I'm 100% sure it would be a nice upgrade. We've got all these tools, but I believe the time has come to turn them into one, and make stuff go more on auto-pilot.

Like I edited here at the top, this first idea is a long shot, and even if airbase were recoded, it would only work for WEP clients. Please read through my second idea, and tell me what you think.